bind KDC to single interface?

Dennis Davis D.H.Davis at bath.ac.uk
Tue Feb 23 06:46:19 EST 2010


On Tue, 23 Feb 2010, Ken Raeburn wrote:

> From: Ken Raeburn <raeburn at MIT.EDU>
> To: Greg Hudson <ghudson at MIT.EDU>
> Cc: "kerberos at mit.edu" <kerberos at MIT.EDU>
> Date: Tue, 23 Feb 2010 07:17:17
> Subject: Re: bind KDC to single interface?
> 
> On Feb 22, 2010, at 18:32, Greg Hudson wrote:
> > On Mon, 2010-02-22 at 16:56 -0500, Abe Singer wrote:
> >> Am I missing something in the documentation, or is there no way to tell
> >> krb5kdc to bind to a single network interface (as opposed to binding to
> >> all of them)?
> > 
> > My reading of the code is that the KDC listener sockets are always bound
> > to INADDR_ANY (or the IPv6 equivalent).
>
> Sort of... the KDC needs to be able to return a response from the
> same (KDC-side) address that the client used, so it either needs
> something like IP(V6)_PKTINFO support, in which case it can use
> IN(6)ADDR_ANY, or it needs to bind a socket on each local address.
> While I've occasionally heard queries about whether it's possible
> to bind to one address only, and it would probably be good to
> offer that someday, I've never heard anyone indicate why accepting
> Kerberos traffic on the other addresses is a problem....  Perhaps
> if you want to run a KDC for a different realm on a different
> address on the same machine, but you can serve up multiple realms
> from one KDC process.  Or maybe they're running the KDC on a
> machine accessible from both internal and external networks, and
> have a security policy in place that prohibits the latter because
> of the offline-password-attack risk?

This is where your firewalling software (iptables on Linux, pf on
OpenBSD etc) comes in.  Use it to make sure that only Kerberos
connections on the desired interface are allowed and all others are
denied.

I'd also be strongly tempted to make pre-authentication the default
on all principals if offline-password-attacks are a worry.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk               Phone: +44 1225 386101
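The two measures Dennis suggests, written out as an added example that is not part of the original thread or the MIT krb5 distribution: a shell script whose functions print (rather than apply) the iptables or pf rules that accept Kerberos traffic on one interface only, and the kadmin.local commands that turn on pre-authentication for every existing principal. The interface names, the realm EXAMPLE.COM and the principal list are assumptions; the choice to skip K/M@REALM is mine.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from MIT krb5.
# Every function prints commands for review; nothing is applied by itself.
# Interface names, realm and principal list are assumptions.

# The KDC listens on UDP and TCP port 88. Because krb5kdc binds INADDR_ANY
# and answers from the address the request arrived on, restricting the
# interface at the packet filter needs no KDC configuration change.
KDC_PORTS="88"

# Print iptables rules: accept KDC traffic arriving on $1, drop it on every
# other interface. Accept rules come first so they match before the drops.
kdc_firewall_rules() {
    iface="$1"
    for port in $KDC_PORTS; do
        for proto in udp tcp; do
            echo "iptables -A INPUT -i $iface -p $proto --dport $port -j ACCEPT"
        done
    done
    for port in $KDC_PORTS; do
        for proto in udp tcp; do
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Same policy as pf rules (OpenBSD). pf is last-match-wins, so the general
# block comes first and the interface-specific pass after it.
pf_firewall_rules() {
    iface="$1"
    for port in $KDC_PORTS; do
        echo "block in proto { tcp, udp } from any to any port $port"
        echo "pass in on $iface proto { tcp, udp } from any to any port $port"
    done
}

# Read principals from stdin (one per line, the format "listprincs" prints)
# and emit a kadmin.local command that sets requires_preauth on each.
# K/M@REALM (the master key principal) never authenticates, so it is skipped;
# blank lines are ignored.
preauth_cmds() {
    while IFS= read -r princ; do
        case "$princ" in
            ''|K/M@*) continue ;;
        esac
        echo "kadmin.local -q \"modprinc +requires_preauth $princ\""
    done
}

# Usage (prints, does not apply):
#   ./kdc-lockdown.sh show
#   kadmin.local -q listprincs | ./kdc-lockdown.sh preauth | sh   # after review
case "${1:-}" in
    show)
        kdc_firewall_rules eth1     # assumed internal interface
        pf_firewall_rules em0       # assumed internal interface
        ;;
    preauth)
        preauth_cmds
        ;;
esac
```

Pre-authentication for principals created later can be made the default in kdc.conf, under the realm's entry in the [realms] section, with `default_principal_flags = +preauth`; the loop above only covers principals that already exist.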